MCPspy

v1.0.0Monitoring & Observabilitystable

MCP Monitoring with eBPF

aiai-securityllmmcpmonitoring
Share:
512
Stars
0
Downloads
0
Weekly
0/5

What is MCPspy?

MCPspy is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to mcp monitoring with ebpf

MCP Monitoring with eBPF

This server falls under the Monitoring & Observability category on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • MCP Monitoring with eBPF

Use Cases

MCP server monitoring
eBPF-based introspection
Security analysis
alex-ilgayev

Maintainer

LicenseApache-2.0
Languagec
Versionv1.0.0
UpdatedMay 21, 2026
Statushealthy
Maintenanceactive

Works with

ClaudeOpenAIwindowsmacoslinux

Installation

Manual Installation

npx mcpspy

Configuration

Configuration Details

Config File

claude_desktop_config.json

Performance

Response Metrics

Response Time< 200ms
ThroughputMedium

Resource Usage

Memory UsageLow
CPU UsageLow

How to Set Up and Use MCPspy

MCPSpy is a Linux command-line tool that uses eBPF (Extended Berkeley Packet Filter) technology to monitor Model Context Protocol communication at the kernel level in real time. It hooks into low-level system calls to intercept JSON-RPC 2.0 messages flowing between MCP clients and servers over both stdio and HTTP/HTTPS transports, including Server-Sent Events. Security teams, developers, and compliance engineers use MCPSpy to detect prompt injection attacks, audit tool executions, debug MCP integrations, and ensure sensitive data is not leaking through AI tool channels.

Prerequisites

  • Linux with kernel version 5.15 or later (eBPF requirement — macOS and Windows are not supported)
  • Root privileges (sudo) to load eBPF programs into the kernel
  • For prompt injection detection: a HuggingFace account and API token (HF_TOKEN)
  • For building from source: Go 1.24+, clang, llvm, libbpf-dev, make
  • An MCP client and server already running (MCPSpy monitors existing traffic; it does not replace them)
1

Download the pre-built binary

Download the correct MCPSpy binary for your platform from GitHub Releases. The script auto-detects your OS and architecture.

BIN="mcpspy-$(uname -s | tr '[:upper:]' '[:lower:]')-$(uname -m | sed -e 's/x86_64/amd64/' -e 's/aarch64/arm64/')"
wget "https://github.com/alex-ilgayev/mcpspy/releases/latest/download/${BIN}"
chmod +x "${BIN}"
sudo mv "${BIN}" /usr/local/bin/mcpspy
2

Start monitoring in TUI mode

Run MCPSpy with root privileges. The default TUI mode gives you a live terminal dashboard of MCP messages. Press 'q' to exit.

sudo mcpspy
3

Run with static console output or save to file

Disable the TUI for scripting or pipe output to a JSONL file for later analysis.

# Console output (no TUI)
sudo mcpspy --tui=false

# Save all messages to JSONL
sudo mcpspy -o output.jsonl
4

Enable prompt injection detection

MCPSpy integrates with HuggingFace Inference API to run a prompt injection classifier on every MCP tool call and response. You need a HuggingFace token.

sudo mcpspy --security --hf-token=hf_xxxxx
5

Deploy as a Kubernetes DaemonSet

For cluster-wide monitoring of MCP traffic from LangFlow, LangGraph, or other AI services, deploy MCPSpy as a Kubernetes DaemonSet so it runs on every node.

kubectl apply -f https://raw.githubusercontent.com/alex-ilgayev/mcpspy/main/deploy/kubernetes/mcpspy.yaml

MCPspy Examples

Client configuration

MCPSpy is a standalone monitoring binary, not an MCP server itself. Run it alongside your existing MCP setup. The Docker run command below is useful for containerized environments.

{
  "note": "MCPSpy runs as a standalone eBPF monitor, not as an MCP server.",
  "docker_run": "docker run --rm -it --privileged ghcr.io/alex-ilgayev/mcpspy:latest",
  "binary_usage": "sudo mcpspy --security --hf-token=hf_xxxxx --security-threshold=0.7"
}

Prompts to try

MCPSpy is a monitoring CLI, not an MCP server you interact with through natural language. These are the key command-line invocations.

- sudo mcpspy                                      # TUI mode, monitor all MCP traffic
- sudo mcpspy --tui=false -o audit.jsonl           # Log all messages to file
- sudo mcpspy --security --hf-token=hf_xxx        # Enable injection detection
- sudo mcpspy --security --security-threshold=0.7 # Tighten detection sensitivity
- docker run --rm -it --privileged ghcr.io/alex-ilgayev/mcpspy:latest

Troubleshooting MCPspy

MCPSpy fails with 'operation not permitted' or eBPF errors on startup

MCPSpy requires root privileges and Linux kernel 5.15+. Always run with 'sudo mcpspy'. Verify your kernel version with 'uname -r'. Kernels older than 5.15 do not support the required eBPF features.

MCPSpy runs on Linux only — how do I use it on macOS or in Docker Desktop?

eBPF is a Linux kernel technology and MCPSpy does not support macOS or Windows natively. For local development on macOS, use the Docker image with --privileged flag on a Linux VM, or use GitHub Codespaces which provides a Linux environment.

Prompt injection detection returns no results or errors with HuggingFace

Ensure your HuggingFace token is valid and that you have access to the inference API. The default model is protectai/deberta-v3-base-prompt-injection-v2. You can specify an alternative with --security-model=<model-id> or adjust the threshold with --security-threshold=0.5 (lower = more sensitive).

Frequently Asked Questions about MCPspy

What is MCPspy?

MCPspy is a Model Context Protocol (MCP) server that mcp monitoring with ebpf It connects AI assistants to external tools and data sources through a standardized interface.

How do I install MCPspy?

Follow the installation instructions on the MCPspy GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.

Which AI clients work with MCPspy?

MCPspy works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is MCPspy free to use?

Yes, MCPspy is open source and available under the Apache-2.0 license. You can use it freely in both personal and commercial projects.

Browse More Monitoring & Observability MCP Servers

Explore all monitoring & observability servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.

Quick Config Preview

{ "mcpServers": { "mcpspy": { "command": "npx", "args": ["-y", "mcpspy"] } } }

Add this to your claude_desktop_config.json or .cursor/mcp.json

Read the full setup guide →

Ready to use MCPspy?

Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.

33,000+ ServersFree & Open SourceStep-by-Step Guides